In article <20040625150532.1a6d6e60.davem@redhat.com>, David S. Miller <davem@redhat.com> wrote:
> RFC2385 MD5 hashing support is going in soon, and for the application where
> the vulnerability actually matters (BGP sessions between backbone routers)
> MD5 clears that problem right up and they're all using MD5 protection already
> anyways.

MD5 protection on BGP sessions isn't very common yet. MD5 uses CPU, and routers don't usually have much of that. Which means that now an MD5 CPU attack is possible instead of a TCP RST attack.

The "TTL hack" solution is safer. Make sure the sender uses a TTL of 255; on the receiver, discard all packets with a TTL < 255. You can use iptables to implement that on a Linux box.
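The TTL check described above, as an added example that is not part of the original post: a user-space stand-in that runs UDP over IPv4 loopback on Linux, where the sender sets IP_TTL to 255 and the receiver reads each datagram's arriving TTL via IP_RECVTTL and discards anything below 255. On a real border router the same receiver rule would be the iptables `ttl` match on the BGP port, shown in a comment; the socket names and payloads are constructed for the demo.

```python
import socket
import struct

# Linux value of IP_RECVTTL; Python exports the constant on Linux builds,
# the literal 12 is the fallback (assumption: Linux, IPv4).
IP_RECVTTL = getattr(socket, "IP_RECVTTL", 12)
GTSM_TTL = 255  # sender always emits 255; a directly connected peer still sees 255

# Production equivalent on the receiver (hypothetical rule, BGP on tcp/179):
#   iptables -A INPUT -p tcp --dport 179 -m ttl --ttl-lt 255 -j DROP

def gtsm_accepts(ttl):
    """Receiver-side rule: any packet that crossed a router has been
    decremented below 255 and is dropped; missing TTL info is also dropped."""
    return ttl is not None and ttl >= GTSM_TTL

def open_receiver():
    """UDP stand-in for the listener; ask the kernel to report arriving TTL."""
    r = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    r.setsockopt(socket.IPPROTO_IP, IP_RECVTTL, 1)
    r.bind(("127.0.0.1", 0))
    return r

def send_with_ttl(dst, payload, ttl=None):
    """Send one datagram; ttl=None keeps the OS default (64 on Linux)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if ttl is not None:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    s.sendto(payload, dst)
    s.close()

def receive_checked(r):
    """Return (payload, arriving_ttl, accepted) for the next datagram."""
    data, ancdata, _flags, _addr = r.recvmsg(1500, socket.CMSG_SPACE(4))
    ttl = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == socket.IP_TTL:
            ttl = struct.unpack("i", cdata[:4])[0]  # native int, Linux layout
    return data, ttl, gtsm_accepts(ttl)

def demo():
    """Peer configured for the TTL hack is accepted; a default-TTL sender is not."""
    r = open_receiver()
    r.settimeout(2)
    dst = r.getsockname()
    send_with_ttl(dst, b"peer", GTSM_TTL)  # correctly configured neighbour
    send_with_ttl(dst, b"other")           # default TTL, as a remote host would arrive with
    results = [receive_checked(r) for _ in range(2)]
    r.close()
    return results
```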